I Don’t Need a Badge – Lessons Learned from Physical Social Engineering

A covert entry assessment is a physical security assessment in which penetration testers try to gain access to sensitive or valuable data, equipment, or a certain location on a target site, without being detected. This article provides an introduction to covert entry assessments, and will address the many factors to consider when deciding on a pretext for physical social engineering. It also includes a story from a real engagement focusing on both the human side of physical security and how a common vulnerability can be exploited and remediated.

Deciding on a Pretext

The technique of social engineering in-person is often referred to as physical social engineering or in-person social engineering. For penetration testing organisations, the type of engagement this would be used on is typically called a covert entry, physical social engineering, or an onsite social engineering engagement. For the sake of simplicity and consistency, in this post the technique and engagement type will be referred to as physical social engineering and covert entry assessment, respectively. Additionally, while many of the behaviors and thoughts discussed below pertain to penetration testers, it is also possible and, in some cases likely, the same thoughts are had by disgruntled employees or other individuals with malicious motives against a given company or site.

In all types of social engineering, the explanation for an email, call, or physical visit is called a pretext. When performing a covert entry assessment, many factors can affect which pretexts would be viable for a given target site.

From a physical security penetration tester’s perspective, ideally a pretext would not be necessary. If I can attempt to gain access to a target site without seeing or interacting with anyone, I would consider that to be the optimal scenario. While this can sometimes be the case, either out of necessity or for the sake of coverage, preparing pretexts is an important aspect of physical social engineering. If it is possible to remove an element that could result in an unsuccessful entry attempt, penetration testers and malicious individuals alike will absolutely do so. Removing the human element, even though that is almost always the weakest link, at a minimum reduces the number of unknown factors that could prohibit a successful covert entry.

In some cases, testers may choose to focus solely on the technical physical security elements of a site at first and, upon successful entry, attempt a second entry with a focus solely on the human element.

It would be remiss of me to discuss physical social engineering without mentioning that in some instances even while testing the human element, a pretext may not need to be used, but one should be prepared regardless. Tailgating, simply following someone into a room or office, into a target site is a typical example of this and is still a very viable entry technique.

Below are many of the factors penetration testers should consider when trying to determine which pretext to use on a given covert entry assessment.

Factors to Consider in Physical Social Engineering:

• Size of the office – The bigger the office or target site is in size, the higher the odds are that there are secluded areas of the site with low foot traffic. This can help with persistence and increase the total time a penetration tester can spend on a site without being detected.
• Office layout – Open layout style offices are significantly more challenging to move through unquestioned or unnoticed, especially compared to rows of cubicles, some of which may be empty on a given day.
• Hours of operation – If a target site has people present 24/7, the importance of the pretext is increased significantly as attempting to gain entry when the office is empty is not an option.
• Multi-tenant building – When it comes to physical social engineering, one of the easiest targets for attackers is multi-tenant buildings. A multi-tenant building is a commercial property owned by an individual or a company that houses multiple offices rented by other companies. If the office is located within a building shared by multiple different companies, it is considered a multi-tenant building.

From a pretext perspective, having the in-scope site located within a multi-tenant building adds the potential for building management impersonation.

Even within a given pretext, the backstory for a pretext can be approached in multiple ways. For example, if the pretext is that electrical testing is being performed on all offices within the wider building, the reason behind it, if prompted, can vary. Some options include: “another tenant is renewing and renegotiating their lease and as part of that process they requested fixed electric testing” or the more generic “building management has requested electrical testing due to reported instances of electrical issues and outages”.

There are pros and cons to either of these further explanations, although in physical social engineering there is a difficult balance to reach of providing enough information to appear legitimate but not so much information as to raise suspicion or include aspects which are easily verifiable and disproven. Ultimately, the success of an interaction will also depend heavily on which employee answers the door. A naturally suspicious and rule-following employee versus an employee who is less vigilant about security policies can significantly impact the odds of a successful entry attempt using physical social engineering.

Additional things to consider are:

• Number of employees at the target site – If a given target site has less than twenty employees physically present, the feasibility of impersonating an employee that works at that office is reduced significantly. That said if either open-source intelligence (OSINT) or based on conversations with the client reveals that certain employees are rarely in the office, pretending to be one of those employees or a generic employee back from vacation may be viable. It is also valuable for clients when physical security penetration testers assess the office visitor policies as well. If a visitor is given a guest badge and the badge is not requested to be returned at the end of the day, depending on the permissions of said badge, that could be both a vulnerability and a potential means of covert re-entry.
• Number of offices in a given country – Especially these days, many company offices are fairly siloed and do not necessarily interact significantly, especially in person, with other offices. As such visiting a New York office and claiming to be an employee from the Chicago office can be a viable pretext.
• Drop ceilings – While physical security penetration testers ideally want to get in and out of a target site as quickly as possible, there are instances in which using time to one’s advantage is necessary to gain access to a target site. If that site is a corporate office within a multi-tenant building with employees working a standard 9 to 5, a security guard is present during those hours, and janitorial services arrive at 10 pm, then climbing into a drop ceiling in a secluded part of the building at 4 pm and then attempting to gain access to the target office at 5:30 pm once everyone has left may be a viable option. If the tester enters the main building too close to the main building’s closing time, assuming there is a security guard, that increases the odds of suspicion, especially if their pretext was just needing to use the bathroom, dropping off a food or mail delivery, essentially anything that implies one would be leaving soon after they arrived and having not being seen leaving could raise suspicion.
• Bathrooms in the office – Hiding in a bathroom stall with an out of order sign can buy penetration testers some hiding or thinking time, however, the sign being present too long or if one employee is particularly observant or suspicious, this could backfire or result in the tester getting caught. Using a drop ceiling in a bathroom is also a particularly helpful combination of known factors.
• Easy to hide in rooms – If knowledge of the office layout is known ahead of time either via OSINT discovery of blueprints or due to onsite reconnaissance, rooms that could be useful and/or are easy to hide in for a period of time could influence the used pretext to get into the office and/or in the event the tester is caught. If the target hiding room is a server room, then an internet service provider or general network troubleshooting pretext may work well. For other rooms, the best pretexts utilize what is likely to be present in a room without necessarily having seen the inside of said room. Examples of what most rooms in a corporate office will have include electrical outlets, Ethernet ports, smoke alarms, and sprinklers. Pretexts that would explain interactions with any of those would be viable, such as fixed electrical testing, fire sprinkler inspection, a check relating to a recall, or a maintenance request.
• OSINT results – Scheduling a job interview with the target site can be a viable means of gaining access to the site, assuming the target is a corporate office, from which at a minimum some onsite reconnaissance can be performed and at most the tester may drop a device on the internal network or simply hide somewhere in or near the office and not leave. The biggest factors that can prevent this from being a viable pretext and method of entry include: the number of interviews that may need to occur before an in-person interview or office visit occurs (from a time commitment perspective), whether any in-person interactions even occur as part of the interview process, and the odds a tester can get an office visit scheduled on one of the exact days they are performing the covert entry assessment.
• Scope – At its most basic for any security assessment this is who and/or what a tester is assessing. Regarding pretexts and physical social engineering, this means who one is testing and what site is to be tested. In most instances a multi-tenant building and its employees are considered out of scope if the company being assessed is one of the tenants of the building.
• Security factors – Security guards, cameras, and alarms are among the biggest threats to physical social engineering and covert entry attempts. Attempting to enter an office outside of normal business hours and triggering an alarm will be difficult, but not impossible, to explain to a security guard. Posing as a new and on-call IT employee who does not know the alarm code is at least plausible. In instances with security guards in a multi-tenant building, multiple pretexts may be used throughout any given covert entry attempt. One example would be posing as a mail or food delivery person delivering to the target office, as the pretext for the security guard, and then changing clothes and posing as a maintenance worker once at the target office.

While pretexts can significantly influence the likelihood of success of a given covert entry attempt, there are many factors outside of a physical security penetration tester’s control that can impact the success or failure of an entry attempt. Onsite reconnaissance can help remove or add potential pretext options based on observed behaviors. For instance, if employees are regularly holding the doors for those walking behind them or if there is a side entrance used primarily by third-party vendors, etc. Dedicating preparation time for viable pretexts that fit the engagement and in-scope site can help testers decrease the odds of failure or being caught due to an insufficiently convincing or practical pretext.

Human and Technical Physical Security – Real World Example

One particularly memorable engagement had multiple elements including an onsite physical security and internal infrastructure assessment at an undisclosed location.

As discussed earlier, an appropriate pretext based on the target site’s factors is of the utmost importance. Since the target site was a small office with few employees present on a given day in a multi-tenant building, a building maintenance pretext seemed like the best option for getting into the office. I began removing the badge reader from the wall to install a backdoor on it using a tool called an ESPKey, but as a number of employees badged into the target office, I was instead able to simply follow them in. An ESPKey is a small device that when attached to a badge reader’s wires, effectively backdoors the badge reader and can store and replay any and all badge reads that occur after its installation.

Once inside, I was able to open the locked server room door, the primary goal for the engagement, using a technique called latch loiding. I will discuss this technique in more detail later in this post.

Further into the engagement, I was deliberately performing suspicious activities and wearing the clothing from multiple different pretexts at the same time in an effort to get caught and establish some baseline on what suspicious activities would actually cause employees to start asking questions. Sometimes with physical security the wrong question to ask is no question at all. In my opinion “Why is a man wearing a delivery person’s baseball cap, business casual clothes, without a tool bag or belt and a backpack working on our office’s badge reader? or “Why is a random guy going under a desk and messing with some wires in the middle of our office?” were the questions that should have been asked in those situations.

Latch Loiding

On the first day of the internal infrastructure element of this engagement, I did not have a visitors badge with which to badge myself into different parts of the wider office building. As a penetration tester, instances in which we are not provided the necessary credentials are opportunities to test proper authorization controls. While performing the physical security assessment, I noticed that several doors, in addition to the server room, had improper strike plate placements which could be abused to bypass the associated door’s badge reader or lock.

The picture below highlights this issue.

The semi-circular part of the latch that can only be seen on the “Improper Installation” image is often called a deadlatch. When the deadlatch is fully depressed, the main part of the door latch cannot be pressed in. The purpose of the deadlatch is to prevent the primary door latch from being moved by a tool as opposed to the door handle itself. In movies or TV shows when a character uses a credit card or something of a similar size and material to break into a room, this is the vulnerability they are taking advantage of. If the strike plate is not installed to cover the deadlatch, then the deadlatch is not fully depressed or engaged, and the primary door latch can be moved. In doing so, this will bypass any door access controls such as a badge reader.

This is a very common vulnerability and is often abused in covert entry and physical security assessments. There are a variety of names used to refer to this technique and the associated vulnerability including “latch loiding,” “shimming,” “strike plate bypass” amongst others. The tool itself usually used to exploit this vulnerability is also known by several names but will be referred to as a “traveller’s hook” for the remainder of this blog post. Generally speaking, if the deadlatch is visible then the door is likely vulnerable to “latch loiding”.

Traveller’s Hooks on a Budget

As a further demonstration of the risk of this vulnerability and the ease of exploit, I decided to use materials the client had on hand within the office itself to create an improvised traveller’s hook and open a locked office door. The image below shows what a traveller’s hook usually looks like.

The following are the options that had potential, and if I had a little more time would most likely have been successful:

• Twist ties – Based on what I saw during my experiments, softer items tend to follow the curve of the door latch which, depending on the latch orientation, can be the opposite of where pressure should be applied in order to depress the latch. Generally speaking, “latch loiding” consists of pushing and slowly wedging / moving the latch inward. Simply shoving or pulling a tool back to front or vice versa, depending on the latch orientation, often will not fully depress the latch and as such the door will not open.
• A wooden coffee stirrer – This might have worked with a bit more time and patience, but the stirrer did not seem flexible enough nor was there enough space to effectively get parts of the stirrer on both horizontal sides of the latch.
• Wine bottle opener – The knife part of the bottle opener I was trying to use as the makeshift hook kept fully extending while I was trying to use it. Ideally with a traveller’s hook, the tool should have a 90-degree angle to help pull and push in the latch. That said the gap in the door jamb was too narrow to fully fit enough of the wine bottle opener anyway.

After trying the above, and a few other even less successful options (plastic utensils would simply snap when I tried to bend them into a useful shape), I encountered the perfect tool on a small tool and office supplies desk: an Allen wrench (I believe it was either 5/32 or 3/16), which allowed me to open the door.

When entering the room after a valid badge was presented to the reader, the door would unlock accompanied by a loud mechanical sound. After successfully testing my theory on the badged door bypass using the aforementioned Allen wrench, I was able to enter without needing to use my guest badge.

Asking the Right Questions

An employee got up as I was entered the room, presumably noticing the lack of the audible lock movement yet the door was opening. The employee asked, “Did the badge not work?”. On its own I suppose this is a reasonable question given the context, based on the clues (the door opening and the lack of noise of someone badging in). However, in my opinion this is an example of missing the forest for the trees. If one takes the theory that the badge did not work a step further, that leads to what I believe is a better question to ask, “how did you get in here?”. The only other situation in which I could enter that part of the site, outside of using physical security bypass techniques, would be having another employee badge me in, except as has been established, there was no audible and loud sound of the door unlocking after a successful badge read.

I share the story relating to the wrong questions being asked, or indeed questions not being asked at all, not in order to shame those featured in it or others who have made similar mistakes or missed out on an important detail. Rather, I hope this story can serve as examples of the importance of small details when it comes to security, as well as the importance of security awareness of employees. Assumptions that “surely one of our employees would say or do something” if a suspicious scenario occurs can often be inaccurate. These assumptions should be tested to ensure that these beliefs are in fact correct and employees will respond as trained in unusual circumstances.

Conclusion

Perhaps the most important lesson here is that testing your physical locations can validate the effectiveness of the processes and training you have in place. Not only do consultants try and bypass your security controls, but they can offer an insight into the actions a malicious actor might take and identify areas for additional improvements. One of the lessons I learned here was that adding an Allen wrench or two to one’s everyday carry (often abbreviated to EDC) could be a useful practice for physical security professionals. Allen wrenches are far less conspicuous than a traditional traveller’s hook and I found it worked just as well.

If you are interested in having a physical security vulnerability assessment or covert entry assessment, please contact [email protected].